[apiserver] validate A/AAAA IP formats and fix silent misclassification

Skip unparseable IPs in DomainToDomainRecords instead of silently
bucketing them as A records. Add format validation in DomainRecord.validate()
to reject non-IPv4 values in dns.a and non-IPv6 values in dns.aaaa.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dilyevsky

api/core/v1alpha3/domainrecord_types.go

@@ -3,7 +3,6 @@ package v1alpha3
 import (
 	"context"
 	"fmt"
-	"net"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -85,10 +84,13 @@ type DomainRecordTarget struct {
 // DomainRecordTargetDNS specifies DNS record data. Exactly one field must be populated.
 // The populated field determines the DNS record type.
 type DomainRecordTargetDNS struct {
-	// IPs holds A/AAAA record addresses.
-	// The record type (A vs AAAA) is determined by the IP address format.
+	// A holds IPv4 A record addresses.
 	// +optional
-	IPs []string `json:"ips,omitempty"`
+	A []string `json:"a,omitempty"`
+
+	// AAAA holds IPv6 AAAA record addresses.
+	// +optional
+	AAAA []string `json:"aaaa,omitempty"`
 
 	// FQDN holds a CNAME record target.
 	// +optional
@@ -146,8 +148,11 @@ func (d *DomainRecordTargetDNS) DNSFieldKey() string {
 	if d == nil {
 		return ""
 	}
-	if len(d.IPs) > 0 {
-		return "ips"
+	if len(d.A) > 0 {
+		return "a"
+	}
+	if len(d.AAAA) > 0 {
+		return "aaaa"
 	}
 	if d.FQDN != nil {
 		return "fqdn"
@@ -191,7 +196,10 @@ func (d *DomainRecordTargetDNS) PopulatedFieldCount() int {
 		return 0
 	}
 	count := 0
-	if len(d.IPs) > 0 {
+	if len(d.A) > 0 {
+		count++
+	}
+	if len(d.AAAA) > 0 {
 		count++
 	}
 	if d.FQDN != nil {
@@ -346,8 +354,11 @@ func domainRecordTargetString(r *DomainRecord) string {
 	}
 	if r.Spec.Target.DNS != nil {
 		dns := r.Spec.Target.DNS
-		if len(dns.IPs) > 0 {
-			return formatMultiValue(dns.IPs, 40)
+		if len(dns.A) > 0 {
+			return formatMultiValue(dns.A, 40)
+		}
+		if len(dns.AAAA) > 0 {
+			return formatMultiValue(dns.AAAA, 40)
 		}
 		if dns.FQDN != nil {
 			return truncateString(*dns.FQDN, 40)
@@ -386,33 +397,31 @@ func domainRecordTargetString(r *DomainRecord) string {
 	return ""
 }
 
-// domainRecordTypeString returns the DNS record type for display.
-func domainRecordTypeString(r *DomainRecord) string {
-	if r.Status.Type != "" {
-		return r.Status.Type
-	}
+// deriveRecordType returns the DNS record type string for a DomainRecord.
+func deriveRecordType(r *DomainRecord) string {
 	if r.Spec.Target.Ref != nil {
 		return "Ref"
 	}
 	if r.Spec.Target.DNS != nil {
-		dns := r.Spec.Target.DNS
-		if len(dns.IPs) > 0 {
-			if ip := net.ParseIP(dns.IPs[0]); ip != nil && ip.To4() == nil {
-				return "AAAA"
-			}
-			return "A"
-		}
-		if dns.FQDN != nil {
+		if r.Spec.Target.DNS.FQDN != nil {
 			return "CNAME"
 		}
-		key := dns.DNSFieldKey()
+		key := r.Spec.Target.DNS.DNSFieldKey()
 		if key != "" {
 			return strings.ToUpper(key)
 		}
 	}
 	return ""
 }
 
+// domainRecordTypeString returns the DNS record type for display.
+func domainRecordTypeString(r *DomainRecord) string {
+	if r.Status.Type != "" {
+		return r.Status.Type
+	}
+	return deriveRecordType(r)
+}
+
 // domainRecordTTL returns the effective TTL for display.
 func domainRecordTTL(r *DomainRecord) int32 {
 	if r.Spec.TTL != nil {

api/core/v1alpha3/domainrecord_validate.go

@@ -3,6 +3,7 @@ package v1alpha3
 import (
 	"context"
 	"fmt"
+	"net"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -22,13 +23,21 @@ func (r *DomainRecord) Default() {
 
 var _ resourcestrategy.PrepareForCreater = &DomainRecord{}
 
-// PrepareForCreate derives metadata.name from spec when the user omits it.
+// PrepareForCreate derives metadata.name from spec when the user omits it
+// and sets status.type from the populated DNS field.
 func (r *DomainRecord) PrepareForCreate(ctx context.Context) {
 	r.GenerateName = ""
-	if r.Name != "" {
-		return // user provided a name; Validate will check it
+	if r.Name == "" {
+		r.Name = r.derivedName()
 	}
-	r.Name = r.derivedName()
+	r.Status.Type = deriveRecordType(r)
+}
+
+var _ resourcestrategy.PrepareForUpdater = &DomainRecord{}
+
+// PrepareForUpdate re-derives status.type on updates.
+func (r *DomainRecord) PrepareForUpdate(ctx context.Context, old runtime.Object) {
+	r.Status.Type = deriveRecordType(r)
 }
 
 var _ resourcestrategy.Validater = &DomainRecord{}
@@ -155,6 +164,27 @@ func (r *DomainRecord) validate() field.ErrorList {
 		if count > 1 {
 			errs = append(errs, field.Forbidden(targetPath.Child("dns"), "exactly one DNS field must be populated, found multiple"))
 		}
+
+		dns := r.Spec.Target.DNS
+		dnsPath := targetPath.Child("dns")
+		for i, addr := range dns.A {
+			ip := net.ParseIP(addr)
+			if ip == nil || ip.To4() == nil {
+				errs = append(errs, field.Invalid(
+					dnsPath.Child("a").Index(i), addr,
+					"must be a valid IPv4 address",
+				))
+			}
+		}
+		for i, addr := range dns.AAAA {
+			ip := net.ParseIP(addr)
+			if ip == nil || ip.To4() != nil {
+				errs = append(errs, field.Invalid(
+					dnsPath.Child("aaaa").Index(i), addr,
+					"must be a valid IPv6 address",
+				))
+			}
+		}
 	}
 
 	// tls is only valid when target.ref is set.

api/core/v1alpha3/zz_generated.deepcopy.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net"
 
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -492,7 +493,10 @@ func dnsTargetEqual(a, b *corev1alpha3.DomainRecordTargetDNS) bool {
 	if a == nil || b == nil {
 		return false
 	}
-	if !stringSliceEqual(a.IPs, b.IPs) {
+	if !stringSliceEqual(a.A, b.A) {
+		return false
+	}
+	if !stringSliceEqual(a.AAAA, b.AAAA) {
 		return false
 	}
 	if !stringPtrEqual(a.FQDN, b.FQDN) {
@@ -581,11 +585,32 @@ func DomainToDomainRecords(domain *corev1alpha3.Domain) []corev1alpha3.DomainRec
 		dns := domain.Spec.Target.DNS
 
 		if dns.IPs != nil && len(dns.IPs.Addresses) > 0 {
-			dr := newDNSRecord(domain, "ips", dns.IPs.TTL)
-			dr.Spec.Target.DNS = &corev1alpha3.DomainRecordTargetDNS{
-				IPs: append([]string(nil), dns.IPs.Addresses...),
+			var v4, v6 []string
+			for _, addr := range dns.IPs.Addresses {
+				ip := net.ParseIP(addr)
+				if ip == nil {
+					continue
+				}
+				if ip.To4() == nil {
+					v6 = append(v6, addr)
+				} else {
+					v4 = append(v4, addr)
+				}
+			}
+			if len(v4) > 0 {
+				dr := newDNSRecord(domain, "a", dns.IPs.TTL)
+				dr.Spec.Target.DNS = &corev1alpha3.DomainRecordTargetDNS{
+					A: v4,
+				}
+				records = append(records, dr)
+			}
+			if len(v6) > 0 {
+				dr := newDNSRecord(domain, "aaaa", dns.IPs.TTL)
+				dr.Spec.Target.DNS = &corev1alpha3.DomainRecordTargetDNS{
+					AAAA: v6,
+				}
+				records = append(records, dr)
 			}
-			records = append(records, dr)
 		}
 		if dns.FQDN != nil {
 			dr := newDNSRecord(domain, "fqdn", dns.FQDN.TTL)
@@ -760,11 +785,14 @@ func DomainRecordsToDomainSpec(records []corev1alpha3.DomainRecord) corev1alpha3
 		}
 
 		dns := r.Spec.Target.DNS
-		if len(dns.IPs) > 0 {
-			spec.Target.DNS.IPs = &corev1alpha3.DNSAddressRecords{
-				Addresses: append([]string(nil), dns.IPs...),
-				TTL:       copyInt32Ptr(r.Spec.TTL),
+		if len(dns.A) > 0 || len(dns.AAAA) > 0 {
+			if spec.Target.DNS.IPs == nil {
+				spec.Target.DNS.IPs = &corev1alpha3.DNSAddressRecords{
+					TTL: copyInt32Ptr(r.Spec.TTL),
+				}
 			}
+			spec.Target.DNS.IPs.Addresses = append(spec.Target.DNS.IPs.Addresses, dns.A...)
+			spec.Target.DNS.IPs.Addresses = append(spec.Target.DNS.IPs.Addresses, dns.AAAA...)
 		}
 		if dns.FQDN != nil {
 			fqdn := *dns.FQDN